Role management

更新时间:
复制 MD 格式

Roles are logical groups within a user pool that differentiate user permissions. You can define roles and assign them to users. Role information is written to the ID Token. Combined with Agent Identity policies, roles allow you to implement role-based access control (RBAC). This topic describes how to create, assign, and delete roles.

Role overview

Roles in a user pool group users and segment their permissions. A role's primary functions are:

  • Inclusion in the ID Token: When a user logs in, the system writes their assigned roles as a claim to the ID Token issued to the client application.

  • Policy matching: In an Agent Identity policy statement, you can use a role as a principal condition to implement role-based access control (RBAC). For example, you can allow the admin role to perform all actions, while the viewer role can only perform read-only actions.

Default role

When you create a user pool, the system automatically generates a default role. This default role has the following characteristics:

  • Automatic assignment: When a new user is created, the system automatically assigns the default role to them. You can unassign the default role after you assign custom roles to the user.

  • Baseline permissions: You can use the default role to grant basic Agent Identity permissions to all users.

Create a role

Create custom roles for fine-grained control over user permissions.

  1. Log on to the Agent Identity console.

  2. In the left-side navigation pane, choose Identities > User Pools.

  3. Click the name of the user pool to view its details page.

  4. Click the Roles tab.

  5. Click Create Role.

  6. On the Create Role page, enter a Role Name and an optional Description, and then click Create Role.

Assign a role

Assign roles to users in the user pool. A user can have multiple roles.

  1. From the Roles tab:

    1. In the role list, click the name of the target role.

    2. On the role details page, click Role Assignments > Create Role Assignment.

    3. In the Create Role Assignment dialog box, select the users you want to assign the role to, and then click Create Role Assignment.

  2. From the Users tab:

    1. In the user list, click the name of the target user.

    2. On the user details page, click Role Assignments > Create Role Assignment.

    3. In the Create Role Assignment dialog box, select the roles to assign to the user, and then click Create Role Assignment.

After the assignment is complete, the user's ID Token will include a claim for this role upon their next SSO logon.

Remove a role

To revoke a user's permissions for a specific role, remove that role from the user.

  1. From the Roles tab:

    1. In the role list, click the name of the target role.

    2. On the role details page, click the Role Assignments tab.

    3. In the user list, find the target user and, in the Actions column, click Delete Role Assignment.

    4. In the confirmation dialog box, click OK.

  2. From the Users tab:

    1. In the user list, click the name of the target user.

    2. On the user details page, click the Role Assignments tab.

    3. In the list of assigned roles, find the role that you want to unassign.

    4. In the Actions column, click Delete Role Assignment.

    5. In the confirmation dialog box, click OK.

Delete a role

When a role is no longer needed, you can delete it.

Important

After you delete a role, all users assigned to it lose the associated permissions. The role claim will not appear in their ID Tokens in subsequent logons. This action cannot be undone.

  1. In the role list, find the target role and, in the Actions column, click Delete Role.

  2. In the confirmation dialog box, enter the name of the role to delete, and then click Delete Role.

Role-based access control example

The following example shows how to use roles and policies together to implement RBAC. Assume you have created two roles: admin and viewer.

  • Add a policy to the policy set that allows users with the admin role to perform all actions.

  • Add another policy that allows users with the viewer role to perform only read-only actions.